Tag: PCI DSS

At a recent meeting of the UK Merchants' PCI Working Group I mentioned that there was some soft case law in the form of ICO enforcement action which helps to answer the question of whether PCI DSS is sufficient to meet GDPR’s requirement for organisations to implement “appropriate technical

I’ve read some pretty amazing articles and blogs in the last week that show quite a misunderstanding about how criminals steal money, how payments work and how the new General Data Protection Regulation would both punish Tesco Bank and simultaneously remedy all ills. Cyber security and financial crime is

I put together this series of sample PCIP questions and answers to help a friend who was revising for her PCIP exam. She passed and so I hope you also find them useful. It is a while since I actually took a PCI SSC exam and so these questions might

It is rare for the DSS to get smaller; each version typically adds a few requirements based on lessons from forensic investigations of cardholder-data breaches. However, in the summary of changes from version 3.1 to version 3.2 published this week I noticed:

There’s quite a bit of misleading information on the internet about the status of pre-authorisation data. As far as all the card schemes are concerned, there’s no difference between pre-authorisation data and post-authorisation data. If you store,

Hello

I’m John Elliott, a data protection specialist and Pluralsight author. I help organisations balance regulatory requirements like GDPR, NISD, PSD2 and the PCI standards with IT, information security and business objectives.

WithoutFire …

… it’s a metaphor for our industry. The saying goes that there’s no smoke without fire. In information security and data protection we can often smell the smoke, but we choose to optimistically believe that there isn’t a fire, or perhaps that we’ll be lucky and not get burnt. This generally isn’t a great idea.

Notices

This site is written by John Elliott of WithoutFire Ltd. The content of the site:

represents my personal views, not those of any clients or employers.

offers general advice about legislation and regulation and its interaction with technology. It is not intended to be legal advice.